.: ShaolinTiger - Kung-Fu Geekery :.

Archive for the 'Hacking & Infosec' Category

Information Security Certifications - L33t H4x0ring!

It's about time I got myself a new cert, it's almost a year since I got myself OPST Certified..

OPST stands for OSSTMM Professional Security Tester, recursive eh? OSSTMM stands for Open Source Security Testing Methodology Manual.

If you've never heard of the OSSTMM, you don't really need this cert ;)

The OPST is a certification of applied knowledge designed to improve the work done as a professional security tester. This is an important certification for those who want or need to prove they can walk the walk in security testing, the discipline which covers network auditing, ethical hacking, web application testing, intranet application testing, and penetration testing. And it is a critical, eye-opening class for security auditors, network engineers, system and network administrators, developers, network architects, security analysts, and truly anyone who works in IT from systems to networks.

OPST Exam

Cool eh? Kinda nerve wracking after submitting the results directly to the servers in Spain and waiting 3 weeks for the pass/fail..

Yes that's X-windows on a *nix station, the exam was done purely on Linux, Windows was used for some surfing. The exam is 90% practical over a tunnelled connection to Spain, kinda slow.. the other 10% is about some ethics and parts of the OSSTMM.

Yes of course I passed, top grade in the class I think..

Ah well, wonder which certificate to do next, kind of hard to find decent computer security courses in Asia, I think SANS is in Singapore soon though..

Don't even mention MCSE, I'll spit on you ;) I wouldn't mind RHCE or LPI next though, or perhaps go the Cisco route or something else proprietary..

15 comments

I h4x0red The ATM!

Yah I did...

ATM H4x0r

Sadly it didn't pour out loads of money..it just told me the resolution I was using was too low.

Low Res

Can you believe ATMs are using Windows XP? No wonder they are down so often....

What happened to OSes built in Assembly and Embedded Device Operating Systems?!

28 comments

Xia Xue got totally PWNED - BACKUP YOUR STUFF NOW

The famous egotistical XX blogger Xia Xue got owned last night..

SHE GOT OWNED HARD, LIKE IN THE ASS WITH A CHILLI PEPPER COVERED BAT.

She is full of shit, she is full of herself, she isn't hot, she writes a lot of angsty crap but does have some great posts, whatever she's done however and however much of a cunt she is, she doesn't deserve this...

3 years of blog entries gone

3000 e-mail and contacts gone

Dear readers of xiaxue.blogspot.com,

Yes, indeed, my blog has been hacked. I understand some of you might be sending emails to me right now, alerting me, and the thought warms my heart (which is very startlingly cold right now mind you).

Unfortunately, the hacker is quite clever. He also managed to guess the password to my gmail account. My 3,000 emails, some of which very important business contacts, are all gone.

I don't like her, but I do pity her, whoever did this good job, but well it's not really a cool thing to do...

I'm a l33t h4x0r so I backup often, the reason I don't use blogspot is because I want to backup my posts and comments easily.

Anyway best practice is BACKUP YOUR SHIT OFTEN.

That goes for your PC too, you don't know when your hard-drive is going to conk out, organise your shit and burn it to CD.

DO IT NOW DON'T CRY TO ME WHEN YOU LOST YOUR PHOTOS OF LITTLE JOE HUMPING HIS SISTER.

Backup your blog, backup, backup backup everything, twice, three times, DO IT.

Buy some CD-RW and do it often, that's how I do it.

You can even leave the damn CD-RW in the drive permanently unless you want to burn something else and schedule it.

That's also why I shifted to Thunderbird, it's so much easier to backup than Outcrap Express.

Anyway Xia Xue, I think you are a cunt, but I pity you, and frankly your situation sucks.

Hope you manage to restore everything back to normal service, I do enjoy your posts from time to time ;)

22 comments

How I Hacked The Star’s E-mail

Ok it sounds like a sensational topic, but it's actually true, it happened quite some time back (January), but I sat on it for some time to give them a chance to fix it.

Even though I believe in full disclosure, we have to be responsible to vendors and organisations too.

Basically it went down like this, I sent an E-mail to the editor of The Star about my feelings on the Malaysian Summons system and my post about it.

He clicked on the link from a web-based e-mail system and came to read the article, and in doing so he passed a referral string to my site (this is a string, sent by the browser in the HTTP Referer header, holding the information of where you just came from, so if you came from a Google search on donkeys I'll get the referral string http://www.google.com.my/search?hl=en&q=donkeys&meta=).

The referral string I got from the web-based e-mail page contained the session ID for the editor who was reading his mail. This session ID wasn't cookie based or machine based, it was just a session ID in the URL, which enabled me to log straight into the editor's e-mail..

The referral string I got was something like this:

http://strmal.thestar.com.my/Xf3969c9b9d9b929c9a9e6012d8ab/rmail.41444.cgi?&mbx=Main

Xf3969c9b9d9b929c9a9e6012d8ab in this case is the session ID. Simply by entering this link into my browser I could access the editor's mail account. I tested and I could change everything except the password (as I don't know the existing password), but by sending mail from this account I could probably social engineer the password to be changed.

I could read all of the mail in the inbox and other folders

And change any settings I want..

I ever gave them a more accurate signature:

If everyone is using this webmail system I could easily hijack their accounts too. This would be done by sending an HTML mail with a simple image embedded inside, hosted on my domain; when the mail loaded it would load the image remotely (which your webmail allows, I checked) and I would have the referrer URL again in my weblogs with the relevant session ID.

Again I could just paste this into my browser and access the account of anyone using this webmail software.
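An operator-side check for the weakness described above, as an added example that is not part of the original post or of the webmail product's code: it scans web-server access logs for a URL-borne session token presented by more than one client. The token pattern (an `X` followed by hex digits in the first path segment) is an assumption based on the single URL shown above, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format. Addresses come from the
# documentation ranges and the session tokens are made up.
SAMPLE_LOG = '''\
192.0.2.10 - - [10/Jan/2005:09:00:01 +0800] "GET /Xaaaabbbbccccddddeeeeffff0000/rmail.1.cgi?&mbx=Main HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (MSIE 6.0)"
192.0.2.10 - - [10/Jan/2005:09:02:40 +0800] "GET /Xaaaabbbbccccddddeeeeffff0000/rmail.1.cgi?&mbx=Sent HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (MSIE 6.0)"
198.51.100.7 - - [10/Jan/2005:09:05:12 +0800] "GET /Xaaaabbbbccccddddeeeeffff0000/rmail.1.cgi?&mbx=Main HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.33 - - [10/Jan/2005:09:06:00 +0800] "GET /X1111222233334444555566667777/rmail.1.cgi?&mbx=Main HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows)"
'''

# client, ident, user, [time], "METHOD path PROTO", status, size, "referer", "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"'
)
# Assumed token shape: first path segment, "X" followed by at least 20 hex digits.
TOKEN = re.compile(r'^/(X[0-9a-f]{20,})/')


def shared_sessions(log_text):
    """Map each URL session token to its clients, keeping only tokens
    that were presented by more than one (address, user agent) pair."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        entry = LINE.match(line)
        if not entry:
            continue  # skip lines that are not in combined log format
        address, path, agent = entry.groups()
        token = TOKEN.match(path)
        if token:
            clients[token.group(1)].add((address, agent))
    return {t: sorted(seen) for t, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for token, seen in shared_sessions(SAMPLE_LOG).items():
        print(f"session {token} used by {len(seen)} distinct clients:")
        for address, agent in seen:
            print(f"  {address}  {agent}")
```

A hit is a signal rather than proof, since one user can legitimately appear from several addresses; the lasting fix is to carry the session in a cookie instead of the URL, so it never reaches a Referer header.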

It shows the current state of Information (in)Security in Malaysia.

I did of course e-mail them as soon as I found out and told them how to fix it.

This is just for your information.

On a similar note, if any of you have heard of The Global Malaysian Network, it is again under the control of The Star and was programmed insecurely.

The Global Malaysian Network is an initiative by The Star Malaysia (www.thestar.com.my) to facilitate networking and to tap into the resources, knowledge, skills, investment and contacts that Malaysians can offer to other Malaysians wherever they are in the world. The directory requires members to submit their personal details including their name, marital status, postal address, contact details, professional/occupation information and even educational background details.

Due to bad programming practices and unchecked variables there are several SQL injection vulnerabilities in the web application that powers the GM Directory. By manipulating the input strings a malicious attacker could potentially compromise the security of the database server and disclose any content within the database including private and sensitive information of the Directory members.

Owned by my friends over at Hack in the Box yesterday.

So The Star, I reckon you need to buck up your ideas when it comes to Infosec :)

32 comments

I R L33T H4X0R - Geek & Hacking T-shirts

No seriously I am, here's the proof.

LOL

Yeah I can't think of anything to write, well I can but I'm busy cleaning up, yes I'm domesticated..

I designed the shirt myself, it's a part of my collection of Geek, Hacking, Computer Security and various other things related T-shirts, Mouse Mats, Jumpers and Even thongs!

I also have these:

13 comments

Sleep? What is it….

Sleep..

I..

Need...sleeep *yawn*

Stupid deadlines, stupid risk assessment, stupid lack of templates, stupid no guidelines, stupid project, stupid assholes, stupid lack of questionnaire answers, stupid stupid *yawn*

I slept for 3 hours yesterday morning, then another few hours in the evening, then reading and writing about a crappy risk assessment till 4am then slept a while and came to work at 8.30am...

I NEED SLEEP, WHERE CAN I DOWNLOAD THAT!

Was playing with my connection over the weekend as well, seeing as I was stuck in front of the PC the whole time anyway..

I'm having a major problem with HTTP downloads stalling, Torrents, FTP, MSN, IRC everything else seems ok, I'd hazard a guess to it's something to do with a transparent proxy at Tm.nut side.

Connection seems to have gotten worse since the 1MB upgrade came through..

Speeds seem to be getting better though, I get 1+MB to Malaysian sites with 45ms latency

I get 750+kbps to Japan/Korea sites with 200+ latency

I get 200-600kbps to US/Europe sites with 300+ latency..

The international link latency still leaves a lot to be desired....

Found some great resources though, will post a summary soon..

I'll hassle them about it soon.

Dial-up still blows a big nut.

13 comments

Search Engine Stuff - Google Answers & Yagoohoogle

Google has started providing factual answers..

For example if you type 'population malaysia' in the search box, it will no longer lead you to the pages that contain the info, it will actually give you the answer and the page it got the info from:

Malaysia
Population: 23,522,482 (July 2004 est.)
According to http://www.cia.gov/cia/publications/factbook/fields/2119.html

Also works for other stuff like people, search 'who is bruce lee'

Bruce Lee
Property: ... is widely considered to be the greatest martial arts film actor of the 20th century.
According to http://en.wikipedia.org/wiki/Bruce_Lee

It is however in early stages, but it looks like it will be a better alternative to AskJeeves, which was based on this method of searching (actually posing the search engine a question).

I also stumbled upon another new toy, Yagoohoogle, which seems to be down at the moment.

It's a site split into 2 panes, so you chuck a search term in the first page it shows you both the Yahoo! and Google results. Pretty neat.

BTW had awesome lasagne from hotel room service last night, yum! See you all on Monday.

4 comments

Firefox 1.0.2 Released - Reclaim the web!

And as we are on a geek tip, Firefox 1.0.2 has been released with some security updates.

Mozilla has begun rolling the Firefox 1.02 security update. It has appeared with the little fanfare and without the staggered rollout of 1.01 - have Mozilla sorted their distribution worries?

Source: http://it.slashdot.org/it/05/03/23/2330245.shtml?tid=154&tid=172

You can download it HERE

Why Use Firefox?

“Beware of spyware. If you can, use the Firefox browser.” - USA Today

“Better than Internet Explorer by leaps and bounds.” - FORBES

Popup Blocking
Stop annoying popup ads in their tracks with Firefox's built in popup blocker.

Tabbed Browsing
View more than one web page in a single window with this time saving feature. Open links in the background so that they're ready for viewing when you're ready to read them.

Privacy and Security
Built with your security in mind, Firefox keeps your computer safe from malicious spyware by not loading harmful ActiveX controls. A comprehensive set of privacy tools keep your online activity your business.

Smarter Search
Google Search is built right into the toolbar, and there is a plethora of other search tools including Smart Keywords (type "dict " in the Location bar), and the new Find bar (which finds text as you type without covering up anything).

Live Bookmarks

RSS integration lets you read the latest news headlines and read updates to your favorite sites that are syndicated. (This means you can easily watch blogs for new posts as long as they have RSS/XML/Atom feeds)

Hassle-Free Downloading
Files you download are automatically saved to your Desktop so they're easy to find. Fewer prompts mean files download quicker.

Fits Like a Glove
Simple and intuitive, yet fully featured, Firefox has all the functions you're used to - Bookmarks, History, Full Screen, Text Zooming to make pages with small text easier to read, etc.

S, M, L or XL—It's Your Choice
Firefox is the most customizable browser on the planet. Customize your toolbars to add additional buttons, install new Extensions that add new features, add new Themes to browse with style, and use the adaptive search system to allow you to search an infinite number of engines. Firefox is as big or small as you want.

Setup's a Snap
At only 4.7MB (Windows), Firefox takes just a few minutes to download over a slow connection and seconds over a fast connection. The installer gets you set up quickly, and the new Easy Transition system imports all of your settings - Favorites, passwords and other data from Internet Explorer and other browsers - so you can start surfing right away.

Get funky extensions here: https://addons.mozilla.org/extensions/?application=firefox

My favourites would be:

1) Adblock
2) BBCode
3) Bugmenot
4) Dictionary Search
5) Forecastfox
6) LiveHTTPHeaders

And you can read more about WHY you should use it HERE.

Get it now, reclaim the web!

SPREAD FIREFOX - SIGN UP NOW!

7 comments

TMnet StreamyX Intermittent Service..

I've heard a lot of people complaining lately about Stimx being intermittent lately and very slow..

I've also experienced the same problem, sometimes can't access any US sites and when I can it's very slow..

For example even now, when it's up latency is horrendous..

I just found out why, hopefully things should be better after this!

Thursday, March 24, 2005

TMNET SERVICE DISRUPTION

TM Net Sdn Bhd would like to inform its customers that we will be conducting a scheduled maintenance and upgrading exercise at the International link to the United States to improve our service performance. As a result, customers may experience a slower performance especially to its U.S. links from 12:00 noon on 24 March 2005 (Thursday) until 28 March 2005 (Monday).

TM Net customers may experience service interruption during this period due to the upgrading exercise.

TM Net Sdn Bhd apologizes for any inconvenience caused but at the same time, we would like to assure you that we are upgrading our service to serve you better.

Source: TMnet

So according to this, things should be better than before after March 28th, bring it on!

When am I actually going to get the 1MB line I am paying for rather than a measly 512k though, that's what I want to know..

ADSL Status
Mode    State     Up Speed  Down Speed  SNR Margin  Loop Att.
T1.413  SHOWTIME  128000    512000      19.0        60.0

W00t...

3 comments

RSS Top 55 - Best Blog & RSS Submission Sites

I did post about blogging tools before, but a friend just sent me this yesterday, it's a very useful list indeed if you wish to get syndicated and get a larger readership for your little corner of cyberspace.

As more and more people get involved with the Internet and as more Web sites, blogs, news services and other online resources continue to grow in number and variety it becomes increasingly important to maintain high visibility and exposure for the content being generated by closely following the major distribution media.

Until now the web was populated by Web sites and other HTML-based content pages, and the main vehicle for reaching content has been the large use of major search engines and directories.

As a rapidly increasing number of content sources, new and old, migrate or add RSS as a key distribution channel, and as more people utilize RSS newsreaders and aggregators to keep themselves informed, the ability to maintain high exposure and visibility is gradually shifted from a complete attention to major search engines and content optimization techniques to an increasing awareness of RSS feed directories and search tools.

http://www.masternewmedia.org/rss/top55/

I suggest submitting to at least the top 20 if you haven't already.

On top of that I've also started using Blogshares, which is quite a fun game to play, it's a virtual share market based on the value of links and other factors.

You can see my blog rating here: Listed on BlogShares

I've also been using Malaysia Top Blogs, for the locals, I think I managed to retain 3rd place for some time, that's about my highest, usually I'm around 7-15 depending on my traffic (it works on unique hits).

There's also HotorNot for blogs..

Is my Blog HOT or NOT?

Kinda pointless, but fun.

I also find sitemeter good for some free simple statistics:

http://www.sitemeter.com/

Will post Jakarta update and pictures soon :)

Have fun, and see you at the party this weekend! Yeah!

10 comments
